The Office for Civil Rights at the U.S. Department of Health and Human Services (HHS) recently issued a Bulletin reminding HIPAA covered entities and Business Associates that the use of tracking technology is subject to HIPAA’s Privacy, Security and Breach Notification Rules when protected health information (PHI) is implicated.
HIPAA covered entities and Business Associates may use tracking technology to gauge user interaction with a website or mobile application. In some instances, the information collected may include protected health information (PHI), such as an individual’s name, IP address, home address, appointment information, diagnosis and treatment information, etc. In that event, HIPAA allows only those disclosures that its rules permit or require, and HIPAA covered entities may be at risk of violating HIPAA’s Privacy, Security and Breach Notification Rules if necessary precautions are not taken.
HIPAA covered entities and Business Associates are reminded to ensure that disclosure of PHI to a tracking technology vendor is allowed under HIPAA’s Privacy Rule and that the disclosure is the minimum necessary to achieve the intended purpose. Moreover, simply identifying the use of tracking technology on an entity’s website or mobile application or asking a user to accept the website’s use of tracking technology, like cookies, is not enough. Rather, the entity must ensure that the tracking technology vendor is party to a Business Associate Agreement recognizing the vendor’s duties with respect to HIPAA’s Privacy, Security and Breach Notification Rules and that the disclosure of PHI is permitted.